10 Dec 2019

Is your startup protected against insider threats?

We’ve talked about securing your startup, the need to understand phishing risks and how not to handle a data breach. But we haven’t yet discussed one of the more damaging threats that all businesses large and small face: the insider threat.

The insider threat is exactly as it sounds — someone within your organization who has malicious intent. Your employees will be one of your biggest assets, but human beings are the weakest link in the security chain. Your staff are already in a privileged position — in the sense that they are in a place where they have access to far more than they would as an outsider. That means taking data, either maliciously or inadvertently, is easier for staff than it might be for a hacker.

“Organizations need to understand that the threats coming from inside their organizations are as critical as, if not more dangerous than, the threats coming from the outside,” said Stephanie Carruthers, a social engineering expert who serves as chief people hacker at IBM X-Force Red, a division of Big Blue that looks for breaches in IoT devices before — and after — they go to market.

Insider risks can become active threats for many reasons. Some individuals may become disgruntled, some want to blow the whistle on wrongdoing and others can be approached (or even manipulated) by career criminals over debts or other matters in their private life.

There are plenty of examples, many not too far back in recent history.

10 Dec 2019

Microsoft announces public preview of Microsoft Teams for Linux

Today, Microsoft announced a public preview of Microsoft Teams for Linux, the first Office 365 tool that’s available for the open source operating system.

The hope is that by making it available for preview, the company can get feedback from the community and improve it before it becomes generally available. “Starting today, Microsoft Teams is available for Linux users in public preview, enabling high quality collaboration experiences for the open source community at work and in educational institutions,” the company wrote in the blog post announcing the release.

The goal here ultimately is to help get Teams into the hands of more customers by expanding the platforms it runs on. “Most of our customers have devices running on a variety of different platforms such as Windows 10, Linux and others. We are committed to supporting mixed environments across our cloud and productivity offerings, and with this announcement, we are pleased to extend the Teams experience to Linux users,” the company wrote in the blog post.

This announcement is significant for a couple of reasons. For starters, Microsoft has had a complicated history with Linux and open source, although in recent years under Satya Nadella it has embraced open source. This shows that Microsoft is willing to put its tools wherever customers need them, regardless of the platform or operating system.

Secondly, since it marks the first Office 365 app on Linux, if there is positive feedback, it could open the door for more apps on the platform down the road.

The announcement also comes against the backdrop of the company’s ongoing battles with Slack for enterprise collaboration platform users. In July, Microsoft announced 13 million daily active users on Teams. Meanwhile, Slack has 12 million DAUs. It’s worth noting that Slack has been available on Linux for almost two years.

10 Dec 2019

‘Plundervolt’ attack breaches chip security with a shock to the system

Today’s devices have been secured against innumerable software attacks, but a new exploit called Plundervolt uses distinctly physical means to compromise a chip’s security. By fiddling with the actual amount of electricity being fed to the chip, an attacker can trick it into giving up its innermost secrets.

It should be noted at the outset that while this is not a flaw on the scale of Meltdown or Spectre, it is a powerful and unique one and may lead to changes in how chips are designed.

There are two important things to know in order to understand how Plundervolt works.

The first is simply that chips these days have very precise and complex rules as to how much power they draw at any given time. They don’t just run at full power 24/7; that would drain your battery and produce a lot of heat. So part of designing an efficient chip is making sure that for a given task, the processor is given exactly the amount of power it needs — no more, no less.

The second is that Intel’s chips, like many others now, have what’s called a secure enclave, a special quarantined area of the chip where important things like cryptographic processes take place. The enclave (here called SGX) is inaccessible to normal processes, so even if the computer is thoroughly hacked, the attacker can’t access the data inside.

The creators of Plundervolt were intrigued by recent work by curious security researchers who had, through reverse engineering, discovered the hidden channels by which Intel chips manage their own power.

Hidden, but not inaccessible, it turns out. If you have control over the operating system, which many attacks exist to provide, you can get at these “Model-Specific Registers,” which control chip voltage, and can tweak them to your heart’s content.

Modern processors are so carefully tuned, however, that such a tweak will generally just cause the chip to malfunction. The trick is to tweak it just enough to cause the exact kind of malfunction you expect. And because the entire process takes place within the chip itself, protections against outside influence are ineffective.

The Plundervolt attack does just this, using the hidden registers to very slightly change the voltage going to the chip at the exact moment that the secure enclave is executing an important task. By doing so they can induce predictable faults inside SGX, and by means of these carefully controlled failures cause it and related processes to expose privileged information. It can even be performed remotely, though of course full access to the OS is a prerequisite.

In a way it’s a very primitive attack, essentially giving the chip a whack at the right time to make it spit out something good, like it’s a gumball machine. But of course it’s actually quite sophisticated, since the whack is an electrical manipulation on the scale of millivolts, which needs to be applied at exactly the right microsecond.

The researchers explain that this can be mitigated by Intel, but only through updates at the BIOS and microcode level — the kind of thing that many users will never bother to go through with. Fortunately for important systems there will be a way to verify that the exploit has been patched when establishing a trusted connection with another device.

Intel, for its part, downplayed the seriousness of the attack. “We are aware of publications by various academic researchers that have come up with some interesting names for this class of issues, including ‘VoltJockey’ and ‘Plundervolt,’” it wrote in a blog post acknowledging the existence of the exploit. “We are not aware of any of these issues being used in the wild, but as always, we recommend installing security updates as soon as possible.”

Plundervolt is one of a variety of attacks that have emerged recently taking advantage of the ways that computing hardware has evolved over the last few years. Increased efficiency usually means increased complexity, which means increased surface area for non-traditional attacks like this.

The researchers who discovered and documented Plundervolt hail from the UK’s University of Birmingham, Graz University of Technology in Austria, and KU Leuven in Belgium. They are presenting their paper at IEEE S&P 2020.

10 Dec 2019

Facebook’s video calling Portal devices add WhatsApp login, new features and content

Facebook is making its line of Portal-branded smart video calling devices more relevant to consumers, including those who don’t even have a Facebook account. The company today says its Portal family of products will now work with just a WhatsApp account, allowing users to make video calls to friends and family, as well as access Portal features like its interactive “Story Time.” In addition, the Portal devices are gaining new AR features, support for Facebook’s Workplace product for businesses, and a number of new streaming services, including Amazon Prime Video, FandangoNOW, Sling TV, and others.

The company’s original Facebook Portal devices were aimed at helping connect friends and family over video calling devices used in the home. This year, it expanded the line to include a video chat set-top box for TVs, called Portal TV, to give Facebook better traction in the living room.

But video calling alone has not proved to be enough of a selling point for Portal, whose sales are reportedly “very low,” according to supply chain sources. That’s led Facebook to tack on new features and services that give consumers more of a reason to invite Facebook into their home.

That trend continues today with the notable addition of WhatsApp login.

This feature allows Portal owners to sign in to the device using only their WhatsApp account. They don’t even need a Facebook account at all. This opens up Portal to a potentially larger market, given WhatsApp’s 1.5 billion monthly users, not all of whom also have Facebook accounts.

In addition, Facebook Portal is looking to find traction in businesses, by adding support for Facebook Workplace — its corporate version of Facebook that’s used by 3 million paying users, from mostly enterprise-sized businesses. The company announced its plans to launch a Workplace app on Portal earlier this fall, and now it’s rolled out.

For fun, Facebook is adding a lip-sync AR app called Mic Drop to Portal TV, which includes songs from the Backstreet Boys, Coldplay, Katy Perry, and others. Portal TV is also gaining Photo Booth, which lets you take selfies, photos, and videos to share through Messenger.

Across the Portal line, the interactive, AR Story Time app is being updated to include new renditions of classics like Little Red Riding Hood and Goldilocks and the Three Bears, plus new tales from Llama Llama, Pete the Cat and Otto.

Portal users today will be able to livestream from their device directly to their Facebook Profile via Facebook Live — an obvious addition for a streaming video product like this, and one that could help Portal find customers among the influencer, gamer, or vlogger crowd, perhaps.

Facebook’s co-watching feature, Watch Together, is also coming to Portal Mini, Portal, and Portal+ so users can view Facebook Watch shows and programs together.

Portal is slowly edging its way into the streaming media player market, as well, with added support for a number of streaming services, including Amazon Prime Video. The company had announced Prime Video was on its way when it debuted new hardware this fall, but the service was not available at launch.

Now, Prime Video is supported in the U.S., U.K., Canada, and France, along with the recently added FandangoNOW and Sling TV in the U.S. For music and podcasts, Deezer is also supported, plus Crave in Canada and France Télévisions in France.

The additions make Portal products more than just fancy video chat cameras, but they don’t solve Portal’s larger challenge: that people aren’t comfortable bringing Facebook products into their homes. The company has repeatedly broken trust with its customer base. And while its users may not be able to quit Facebook just yet, they aren’t rushing out to integrate it more deeply in their lives, either.

The addition of Prime Now and other streaming services also places Portal into a different category of devices, where it has to compete with more advanced media players like Apple TV, Amazon’s Fire TV and Fire TV Stick, Chromecast, Roku, Android TV, and others. In this market, Portal’s small handful of supported streaming services just isn’t enough to make it a compelling competitor in this race.

But Facebook isn’t giving up on Portal, having launched a huge marketing blitz featuring promotions in ABC TV shows as well as TV commercials starring the likes of Kim Kardashian West, Jennifer Lopez, and lately, the Muppets. According to Kantar, Facebook spent nearly $62.7 million out of $97.3 million on TV advertising in the first half of the year, Variety reported.

Facebook says it’s planning to bring more content and experiences to Portal with future software updates.

10 Dec 2019

Y Combinator will now run its online Startup School multiple times per year

Back in 2017, Y Combinator began offering a 10-week, once-a-year online course called Startup School. Part forum community and part video classroom, the program offers up a variety of lectures on topics like raising money or evaluating startup ideas, as led by YC partners and other entrepreneurs from their network.

Three years and 40,000+ students later, they’re switching up the schedule; beginning in 2020, Startup School will now be running multiple times per year. It’s also shifting from being a 10-week program to being an 8-week program.

In its first few years, Y Combinator set a hard cap on the number of founders it accepted into each Startup School session. After acceptance letters were accidentally sent to the wrong teams in 2018, the company opted to let in everyone who applied, modifying the program to focus less on personal advising and more on small peer-to-peer advice groups. It sounds like they’re sticking with this strategy moving forward, as an FAQ on the Startup School site notes that they “do not have a limit on the number of participants” with this year’s sessions.

Took part in Startup School previously and curious if it’s worth doing again? YC says that while “a few lectures will be updated or replaced”, the video content of 2020’s Startup School will be largely the same as 2019. The structure of the course itself will see some changes, though: they’ll be doing fewer group video chat sessions, but introducing weekly Q&A sessions with YC partners.

Just how many times “multiple times per year” will actually be still seems to be up in the air; YC tells me that they’re still working that out. In a post announcing the change, YC notes that its first 2020 course will start in January (whereas previous sessions have started closer to mid-year.)

Also still a bit up in the air is YC’s Startup School grant program. In previous years, graduates of the course were able to apply for an equity-free grant (initially $10,000, later increased to $15,000). With Startup School now occurring multiple times per year, YC says it’s “in the process of evaluating the grant program.”

In the same post, YC outlined some stats from this most recent year — like that of 41,777 founders who took part in the course, 10,193 graduated. They say that 57% of the founders worked on their startups full-time, and 62% of founders were from outside of the US.

That last bit seems key to YC’s strategy here. Startup School is at least partly meant to serve as a potential funnel into the core YC accelerator program. By putting everything online, they’re letting people from around the world get their foot in the door and get the ball rolling without making the massive commitment of moving to the US.

10 Dec 2019

Google Assistant gets a customized alarm, based on weather and time

Alarm clocks were one of the most obvious implementations since the introduction of the smart screen. Devices like Lenovo’s Smart Clock and the Amazon Echo Show 5 have demonstrated some interest in the bedside display form factor, and Google has worked with the former to refine the experience.

This morning, the company introduced a handful of features to refine the experience. “Impromptu” is an interesting new addition to the portfolio that constructs a customized alarm based on a series of factors, including weather and time of day.

Here’s what a 50-degree, early morning wake up sounds like:

Not a bad thing to wake up to. A little Gershwin-esque, perhaps. 

Per a blog post that went up this morning, the alarm ringtone is based on the company’s open-source project, Magenta. Google AI describes it thusly:

“Magenta was started by researchers and engineers from the Google Brain team, but many others have contributed significantly to the project. We develop new deep learning and reinforcement learning algorithms for generating songs, images, drawings, and other materials. But it’s also an exploration in building smart tools and interfaces that allow artists and musicians to extend their processes using these models. We use TensorFlow and release our models and tools in open source on our GitHub.”

The new feature rolls out today.

10 Dec 2019

xs:code launches subscription platform to monetize open source projects

Open source is a great source of free tools for developers, but as these projects proliferate, and some gain in popularity, the creators sometimes look for ways to monetize successful ones. The problem is that it’s hard to run a subscription-based, dual-license approach and most developers don’t even know where to start. Enter Israeli startup xs:code, which has created a platform to help developers solve this problem.

“xs:code is a monetization platform for open source projects. Unlike donation platforms, which are pretty popular today, xs:code allows open source developers to provide added value in exchange for payments. That comes on top of what they offer for free. This added value can be a different license, more features, support services or anything they can think of,” Netanel Mohoni, co-founder and CEO of xs:code, told TechCrunch.

This does not mean the open source part of this goes away, only that the company is providing a platform for those developers who want to monetize their work, Mohoni said. “Companies pay for accessing the code, and they enjoy better software created by motivated developers who are now compensated for their work. Because our solution makes sure that the code remains open source, developers can continue accepting contributions so the community enjoys better code than ever before,” he explained.

What’s more, project owners can even distribute funds earned from subscriptions to community contributors if they wish to do so, giving them a way to pay contributors, who help make the project better.

The way it generally works is that the open source developers create a dual license model. One has the raw open source code, and one is the commercial version, which could have additional functionality or support that customers would be willing to pay for via a subscription.

The developers create a private repository on GitHub, and connect to xs:code, where they can share a link to the paid version. Users hit the paywall and can subscribe. Xs:code collects the money and distributes it in whichever way the developers have indicated. The company takes 25 percent as a commission for maintaining the platform and collecting the revenue.

The platform is available for the first time starting today in beta. You can sign up for free. Xs:code has raised $500,000 in pre-seed money to date.

10 Dec 2019

Passport raises $65 million for mobility data platform

Passport, a mobility management platform, just raised a $65 million Series D round from Rho Capital Partners, H.I.G. Growth Partners and ThornTree Capital Partners. This round brings its total funding to $125 million.

The plan is to use the funding to further invest in Passport’s mobility software platform and expand into digital parking payments.

In March, Passport partnered with Charlotte, N.C., Detroit, Mich. and Omaha, Neb. to create a framework to apply parking principles, data analysis and more to the plethora of shared micromobility services.

With Passport, cities can easily analyze scooter usage, parking patterns and curb utilization. Passport also enables cities to implement real-time curbside pricing and payments and better manage scooter placement. The idea is that cities and mobility providers will work better together if there are economic incentives in place.

Other than micromobility, Passport focuses on helping cities solve for issues with parking, enforcement and transit.

“In the future, almost everyone in the world will live in a city, so there’s no more important challenge to work on than how people move throughout communities and transact with cities,” Passport co-founder and CEO Bob Youakim said in a statement. “We envision a world where mobility is seamless. To bring this vision to life, we are creating an open ecosystem where any entity – a connected or autonomous vehicle, a mapping app, or a parking app – can leverage our transactional infrastructure to facilitate digital parking payments.”

10 Dec 2019

Pear, whose seed-stage bets are followed closely, just raised $160 million for its third fund

Pear, a six-year-old, Palo Alto, Ca.-based seed-stage firm whose bets on nascent startups are closely watched by early stage investors, has closed on $160 million in capital commitments from a wide array of backers, including a previous investor, the University of Chicago.

It’s more than twice the $75 million that the firm raised for its second fund in 2016 and triple the $50 million it raised for its debut fund back in 2013. We gather the firm had to turn down quite a few interested parties, too, in order to stick to what it’s most comfortable doing, which is to make bets on very nascent startups.

A little less than half of these are launched by college students or recent grads, many of them at nearby Stanford but also at a growing number of other top universities, including UC Berkeley, Harvard and M.I.T. Pear also invests roughly 55 percent of its capital in founders who’ve logged some time in the working world, including at Uber, Facebook and Google.

We talked last week with the firm’s cofounders, Mar Hershenson and Pejman Nozad, who’ve known one another for 20 years. Nozad famously sold rugs to tech millionaires before becoming a full-time investor; one early bet was on the early smartphone company Danger, which sold to Microsoft in 2008 for $500 million. Danger was cofounded by Hershenson, a three-time entrepreneur whose husband cofounded the company, and Nozad was an investor. He’d also invested in Hershenson’s intellectual property startup Sabio Labs, which was later acquired by a now defunct software company called Magma Design Automation.

The pair said that little will change with this new, far bigger fund. The goal remains to be the “best partner on the ground for the entrepreneur from ground zero,” said Hershenson, meaning Pear doesn’t need to see revenue or even customers so much as to trust a team and its vision. Asked more specifically what it is that they look for, Nozad likened it to understanding “really good wine; it’s hard to explain it in words but once you have it, you know it.” Adds Hershenson, “We spend a lot of time with founders and a lot of it comes down to their commitment, how mission driven they are, and their ability to attract talent. You want a captain of the ship, someone who leaves last and who wants to build a product for many people.”

Certainly, the two have plenty of opportunities to meet founders, opportunities that they’ve created for the firm by focusing — to an extreme degree — on building community. In the last year, alone, Pear has hosted roughly 100 events, from a speaker series where it brings in investors and CEOs to speak to founders and students, to workshops, bootcamps, pitch nights, CEO dinners, hackathons and demo days. (Hershenson says one of her favorite evenings every quarter are dinners she has with other women engineers.)

Hershenson and Nozad are also building an organization to help scale their work — as well as hopefully outlast the two of them, they say — and which now includes three partners in addition to the two of them: Ajay Kamat, who focuses on consumer startups and previously founded the Pear-funded startup Wedding Party, which he sold to Instacart; Ian Taylor, who heads up Pear’s “Dorm” programs and concentrates on supporting student founders; and Nils Bunger, who previously founded the desktop virtualization company Pano Logic before founding MobileSpan, a maker of enterprise file-sharing software that he sold to Dropbox. Bunger focuses, unsurprisingly, on helping Pear to uncover promising business-to-business startups.

The approach seems to be working. Among dozens of other startups, Pear was early to a number of big and growing companies, including the now publicly traded blood diagnostics company Guardant Health, the delivery company DoorDash, the HR and payroll software company Gusto, and Branch, a company that helps brands drive sales through its linking infrastructure.

Some of its newer bets seem interesting, too. Among these is Nightfall, a company whose tech scans structured and unstructured data in hundreds of apps for sensitive information that it then acts to secure, and which launched publicly last month with $20.3 million in funding. Another is ixLayer, a young San Francisco-based infrastructure startup promising to make it easier for its customers to offer home DNA tests by providing them all the services they need, from a custom storefront marketplace and patient portal, to EHR data access, and payment handling.

Indeed, like another six-year-old firm that we wrote about yesterday called SignalFire, Pear isn’t focused on themes so much as on founders, no matter where they might find them. As Nozad told us last week during our call, “We’re not a research-driven fund. We think founders know better than us. We want to see future through their eyes.”

If you’re interested in learning more about Pear and its portfolio companies, the team interviewed roughly a dozen of their founders for the video below about how Pear has helped in their respective entrepreneurial journeys. Among those to sing the firm’s praises: Tony Xu of DoorDash and Shubham Goel and Ray Zhou of the relationship intelligence platform Affinity.

 

10 Dec 2019

Why D2C holding companies are here to stay

It wasn’t that long ago that digitally-native, vertically-integrated brands (DNVBs) were the talk of the startup world.

Venture capitalists and founders watched as Warby Parker, Casper, Glossier, Harry’s and Honest Company became the belles of the D2C ball, trotting their way towards unicorn valuations. Not long after, the “startup studio” was unmasked as the elusive unicorn breeding grounds (think Hims). Today, there’s yet another buzzword that’s all the rage and it goes by the name “D2C Holding Company.” And it’s not going away anytime soon.

What are DNVBs?

In 2017, DNVBs were a game-changer. Different than e-commerce, DNVBs sell products online directly to consumers and maintain control and transparency through each stage of the production and distribution process, all without the involvement of middlemen. This allows DNVBs to determine where and how their products are sold and to collect customer data that helps optimize their marketing strategies. 

DNVBs have exploded over the last decade, growing sales and venture capital funding at a rapid pace. These brands use digital engagement strategies to create stronger relationships with consumers, which — when implemented alongside captivating content — contribute heavily to brand success by increasing customer LTV and creating compounding unit economics.

The problem with DNVBs

In the last three years alone, more DNVBs have launched than in the entirety of the previous decade.

While this growth is encouraging, the problem is that these DNVBs are raising so much venture capital that in order to meet the return requirements of their investors, they need a significant purchase offer or IPO valuation. With more than 85 percent of acquisitions happening below $250 million in purchase price, strategic acquisition offers that meet investor expectations are few and far between.

This ultimately creates a state of startup purgatory where DNVBs have no choice but to take a down round to find a lifeline — sorry, Honest Company — making it difficult to develop disciplined operational habits and achieve sustainable growth. With these challenges becoming more glaringly apparent in recent years, there came a need for a new approach to D2C at large. Enter the modern D2C holding company.

Make way for the D2C holding company model

Today’s version of the holding company model takes what companies like Procter & Gamble and Unilever did in the 1950s and modernizes it for the existing D2C market. Instead of taking a siloed approach, brands pool resources, operational costs and institutional knowledge to accelerate growth and achieve profitability at a faster rate. 

DNVB darlings Harry’s and Glossier are great examples of this. Harry’s diversification efforts have been center stage as the company works to grow beyond men’s grooming to include personal care for men and women, household items and baby products. In May, Edgewell Personal Care, which owns brands like Schick, Banana Boat, and Wet Ones, acquired Harry’s for $1.37 billion. Glossier is also working to diversify its portfolio, with the launch of Glossier Play, a younger, more colorful sister brand to its original.

For DNVBs to successfully pivot to a holding company model, they will need to prioritize 1) diversification to satisfy customers’ short attention spans, 2) a data-first mindset to deliver the best possible customer experience, and 3) operational and capital efficiency to not only stay afloat, but thrive. 

An evolving landscape

The landscape for D2C holding companies is just starting to take shape, but here are some of the key players who have adopted this approach and are finding early success: